From 04f5053a7ada491b5de5423f4239e7c0e742bbc8 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 13 Jul 2020 17:34:41 -0700
Subject: [PATCH] Add template support for x5c.

---
 authority/provisioner/x5c.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 6f7d0a5f..5712c7ed 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -9,6 +9,7 @@ import (
 "github.com/pkg/errors"
 "github.com/smallstep/certificates/errs"
+ "github.com/smallstep/certificates/x509util"
 "github.com/smallstep/cli/jose"
 )
@@ -24,10 +25,11 @@ type x5cPayload struct {
 // signature requests.
 type X5C struct {
 *base
- Type string `json:"type"`
- Name string `json:"name"`
- Roots []byte `json:"roots"`
- Claims *Claims `json:"claims,omitempty"`
+ Type string `json:"type"`
+ Name string `json:"name"`
+ Roots []byte `json:"roots"`
+ Claims *Claims `json:"claims,omitempty"`
+ Options *ProvisionerOptions `json:"options,omitempty"`
 claimer *Claimer
 audiences Audiences
 rootPool *x509.CertPool
@@ -193,7 +195,17 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 claims.SANs = []string{claims.Subject}
 }
+ // Certificate templates
+ data := x509util.CreateTemplateData(claims.Subject, claims.SANs)
+ data.SetToken(claims)
+
+ templateOptions, err := TemplateOptions(p.Options, data)
+ if err != nil {
+ return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
+ }
+
 return []SignOption{
+ templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeX5C, p.Name, ""),
 profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
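Review bot: The error context in the new `TemplateOptions` failure path is labelled `"jwk.AuthorizeSign"`, but this is the X5C provisioner's AuthorizeSign, so a template that fails to parse or render will be reported under the wrong provisioner in logs and error responses; the wrap should read `return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSign")`. Separately, `data.SetToken(claims)` hands every claim of the presented token to the configured template; that is reasonable if `p.Options` is operator-supplied provisioner configuration (as its JSON tag suggests), but the trust boundary deserves a line such as `// Token claims are exposed to the template; template text comes from provisioner config, not from the caller.` The body of AuthorizeSign begins and ends outside this hunk.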